Network Security Web-App-Sec

Re: RE: webapp audit and forensics

Subject: Re: RE: webapp audit and forensics
Date: 20 Oct 2005 14:10:49 -0000
Damn mouse!

I have to put my two cents worth.

Of course you do all of what I'm about to tell you after you've sent them an 
engagement letter outlining what you understand they've contracted you for.  
This helps, as you don't want any misunderstanding when you bill them.

First of all, you need to ask a lot of questions before you can even begin to 
write up a plan.  How can you write up a plan if you don't know what to plan 
for?  You can't.  That's what they refer to as pre-audit planning.

Second, gather some crucial information:
    Obtain a network topology
    Obtain prior audit reports / findings
    Obtain the application documentation
    Note an organization chart to determine where the change controls exist.  
This is very important.
    Determine their set up.
        is the web outsourced
        did they create the app themselves
        is the app obtained by a 3rd party
        do they have the proper licenses
        google for any vulnerabilities for this app
        what type of platform are they using
        what is the os
        who maintains their os
        is their os maintained
These are just a few questions to ask.  Then once this is complete you need to 
probably do a simple discovery from the inside and the outside (nmap).

Then do a scan of the specific box (nessus).

Then, depending upon how much money you're going to charge, you can use an 
open source web app scanning tool (Foundstone has a bunch of cool tools) which 
probably will be sufficient for a small to very medium sized company.  
Otherwise you need to consider a small investment in something more commercial 
like Cenzic or SPI.

Then you might want to test some of the findings from your nessus or web scans 
with something like Metasploit that will really put the fear into them.

And finally to put the finishing touches on your engagement you probably need 
to write up a report with your findings and recommendations along with your 
bill.

What you charge is what your time is worth.  If you didn't know to do the 
things I've outlined you're not very experienced.  If you did and just want to 
confirm with the experts then your time is a bit more valuable.

No one here can tell you what you need to charge.  It's your time.

Frank Kenisky IV, CISSP, CISA, CISM
